
Revision as of 00:44, 18 November 2009

This homebrew makes permanent changes to your Wii's flash memory (NAND) and should be used with caution.

BootMii is a system designed by Team Twiizers to enable complete low-level control of the Wii. It allows the Wii to be controlled mere moments after the On button has been pressed, before any IOS has been loaded and before the NAND filesystem has been read.


Architecture

BootMii comprises four pieces of software:

Installer -- this is a simple ELF file which may be run using your favorite method (HBC, Twilight Hack, or any other exploit which can load standard executables). It checks your Wii to make sure it can safely be modified, saves some vital data for disaster recovery, and installs the rest of the components.

Loader stub -- this is a small bit of ARM code which is injected into boot2, replacing Nintendo's internal ELF loader. When run, it looks to see if an SD card is inserted. If so, it tries to load and execute /bootmii/armboot.bin instead of boot2. Otherwise, it will fall back to loading boot2.

mini -- this is a rudimentary replacement for IOS that is best suited for low-level recovery functions. Source code is available under GPLv2 here.

BootMii (or bootmii-ppc) -- when mini runs, it looks for a file named /bootmii/ppcboot.elf on the SD card. If it exists, mini loads this executable into memory, boots up the Broadway (ppc) and executes that binary in parallel with mini. Source code is available under GPLv2 at (tbd).

Both mini and bootmii-ppc must be present in order to draw a user interface, because the Starlet cannot directly access the Video Interface.

Benefits

BootMii allows anything from recovery modes (creating a practically unbrickable Wii) to lazy access to the Homebrew Channel. For example, if you have corrupted the System Menu, you can use the AnyRegion Changer to install a System Menu 3.2. Unfortunately, all homebrew currently requires an IOS, because libogc requires one. However, there is mini (a homebrew IOS-like replacement), which can be modified specifically for a program, e.g., for better communication with the Linux kernel.

How it works

The BootMii platform is a boot2 hack. boot2 is loaded by boot1, which is in turn loaded by boot0. boot0 is part of Hollywood and read-only. boot1, although stored on the NAND, is verified against a value in write-once memory and therefore cannot be changed. boot2, however, can be modified: it can be hacked, updated, and corrupted. BootMii hacks boot2 and allows running code directly from the SD card before anything else is loaded. This has many advantages, such as making the Wii very difficult to brick and slowing Nintendo's efforts to block homebrew. Unfortunately, the only way to completely stop Nintendo from blocking homebrew would be to patch updates on the fly or somehow prevent boot2 from being overwritten. Wii Menu 4.2 fixes the bug found in boot1 on older Wiis and completely removes an installed BootMii when you update from a previous version, which means that if you downgrade from 4.2 and brick the console, there is no getting it back.

Compatibility

BootMii should be compatible with most Wiis released before late 2008. Newer Wiis are supported with reduced functionality: they will have to install BootMii as an IOS.

Required hardware

BootMii will not require any special hardware. However, special hardware might help accomplish things that BootMii by itself cannot, such as hardware NAND write protection and isolation from the Nintendo software stack. No such hardware exists yet though.

The new boot1

Nintendo has released a new version of boot1, which disables BootMii as a boot2 hack. Fortunately, BootMii can also be modified to work as a replacement for IOS, or as a separate IOS (IOS254). See more at Hackmii (http://hackmii.com/2009/02/bootmii-and-the-new-boot1/). Since boot1 cannot be updated, all consoles manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new boot1.

Console Keys and keys.bin

Instead of using xyzzy, you can retrieve your console keys from the keys.bin file that BootMii v3 or later produces when backing up the NAND. To view them, open keys.bin with a hex editor. The offset and length of each key are:

ECC private key: 0x128 (30 bytes)
Console ID: 0x124 (4 bytes)
NAND AES key: 0x158 (16 bytes)
NAND HMAC: 0x144 (20 bytes)
Common key (AES): 0x114 (16 bytes)
PRNG seed (AES): 0x168 (16 bytes)
boot1 hash: 0x100 (20 bytes)
ng_key_id: 0x208 (4 bytes)
ng_sig: 0x20C (60 bytes)

For a full description of the purpose of each key, see the HackMii writeup at http://hackmii.com/2008/04/keys-keys-keys/.
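Reading the fields by hand in a hex editor is error-prone, so here is an added Python example (not BootMii's code and not from this page) that slices each key out of a keys.bin image using the offsets and lengths listed in this section. The field names are our own; the sample image is constructed inline with a distinct filler byte per field so the output is predictable. It also flags fields that are all 0x00 or all 0xFF (a typical sign of a blank or failed dump) and computes, from the table alone, where two fields' byte ranges overlap.

```python
"""Parse the key material out of a BootMii keys.bin dump (constructed example)."""

# (offset, length) of each field, as listed in the keys.bin table on this page.
# The snake_case names are our own labels, not anything BootMii emits.
KEYS_BIN_LAYOUT = {
    "boot1_hash":      (0x100, 20),
    "common_key":      (0x114, 16),
    "console_id":      (0x124, 4),
    "ecc_private_key": (0x128, 30),
    "nand_hmac":       (0x144, 20),
    "nand_aes_key":    (0x158, 16),
    "prng_seed":       (0x168, 16),
    "ng_key_id":       (0x208, 4),
    "ng_sig":          (0x20C, 60),
}

# A dump must at least reach the end of the last field (0x20C + 60 = 0x248).
KEYS_BIN_MIN_SIZE = max(off + ln for off, ln in KEYS_BIN_LAYOUT.values())


def parse_keys_bin(data: bytes) -> dict:
    """Slice every field out of a keys.bin image; raises ValueError if truncated."""
    if len(data) < KEYS_BIN_MIN_SIZE:
        raise ValueError(
            f"keys.bin too short: {len(data)} bytes, need at least {KEYS_BIN_MIN_SIZE}"
        )
    return {name: bytes(data[off:off + ln]) for name, (off, ln) in KEYS_BIN_LAYOUT.items()}


def suspicious_fields(fields: dict) -> list:
    """Sorted names of fields that are all 0x00 or all 0xFF (blank or failed dump)."""
    return sorted(
        name for name, value in fields.items()
        if value == b"\x00" * len(value) or value == b"\xff" * len(value)
    )


def find_overlaps() -> list:
    """(field_a, field_b, bytes_shared) for offset-adjacent fields whose ranges overlap.

    Derived purely from the layout table; a quick consistency check before trusting
    any offset list copied from a wiki.
    """
    by_offset = sorted(KEYS_BIN_LAYOUT.items(), key=lambda kv: kv[1][0])
    overlaps = []
    for (name_a, (off_a, len_a)), (name_b, (off_b, _)) in zip(by_offset, by_offset[1:]):
        end_a = off_a + len_a
        if end_a > off_b:
            overlaps.append((name_a, name_b, end_a - off_b))
    return overlaps


def make_sample_keys_bin(size: int = 0x400) -> bytearray:
    """Constructed stand-in for a real dump: field i (in table order) is filled with 0x10 + i.

    Fields are written in table order, so where two ranges overlap the later field's
    filler wins, exactly as the offsets dictate.
    """
    image = bytearray(size)
    for i, (off, ln) in enumerate(KEYS_BIN_LAYOUT.values()):
        image[off:off + ln] = bytes([0x10 + i]) * ln
    return image


if __name__ == "__main__":
    fields = parse_keys_bin(make_sample_keys_bin())
    for name, value in fields.items():
        print(f"{name:16s} {value.hex()}")
    print("suspicious:", suspicious_fields(fields))
    print("overlaps:  ", find_overlaps())
```

To use it on a real backup, replace `make_sample_keys_bin()` with `open("keys.bin", "rb").read()`. Note what `find_overlaps()` reports for the table as given: the ECC private key (0x128, 30 bytes) ends at 0x146, two bytes past the start of the NAND HMAC at 0x144, so the last two bytes of the former are the first two of the latter; the sample output shows this because those two bytes carry the HMAC field's filler.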

Media

Screenshot.

Video source: Marcan's early BootMii demo. The hardware mod in the video is unrelated to BootMii.

History

Beta 4

Properly write the keys to nand.bin:

This fixes the "NAND dump is from another Wii" issue on restoring beta 3 backups. If you don't know how to fix those dumps, you have to back up the NAND again. Dumps from all other versions are not affected.

Beta 3

Improved the SD card compatibility

Increased the backup/restore speed for some SD cards, but decreased it for others :P